Cyber Risk Update 27 OCT 2023
Local Discord Name Change
We are searching for a new server name! Our aim is to foster broader participation. The team supporting this server handles all aspects of critical infrastructure. While the majority pertains to SLTT (State, Local, Tribal, and Territorial), we're actively seeking collaboration opportunities across various other critical infrastructure sectors. So, we're reaching out to you for suggestions on a fresh server name. We thought something with 'CIKR' (Critical Infrastructure and Key Resources) in the name could be a fitting choice. Join the Discord server and vote or suggest a new name. You will find the poll under the general channel (last day to vote 27 OCT 2023). (TLP Clear Only) Invite: https://discord.gg/PGz3NDKb5V
Trends
Gartner’s 2024 predictions: Lots of AI, changing cybersecurity roles, electricity rationing, and more. Gartner’s top predictions for enterprise IT organizations are dominated by AI, which is influencing trends including employee unionization, application modernization, and smart robots. https://www.networkworld.com/article/3708755/gartners-2024-predictions-lots-of-ai-changing-cybersecurity-roles-electricity-rationing-and-more.html
2023 Ransomware Attacks Up More Than 95% Over 2022, According to Corvus Insurance Q3 Report https://www.darkreading.com/attacks-breaches/2023-ransomware-attacks-up-more-than-95-over-2022-according-to-corvus-insurance-q3-report
What Would a Government Shutdown Mean for Cybersecurity? https://www.darkreading.com/vulnerabilities-threats/what-would-government-shutdown-mean-for-cybersecurity
$10.5 trillion. That is one projection for the costs of global cybercrime by 2025 – which would represent the greatest transfer of economic wealth in history.
Cybersecurity Dive: Novel zero-day exploits fuel Q3 surge in DDoS attacks (10/26) https://www.cybersecuritydive.com/news/zero-day-surge-ddos-attacks/697928/
Cyber Incidents
BeyondTrust, Cloudflare and 1Password targeted after recent Okta breach https://www.scmagazine.com/news/beyond-trust-cloudflare-and-1password-are-all-targets-of-recent-okta-breach
Orange County, Calif., District Attorney’s Office Hacked https://www.govtech.com/security/orange-county-calif-district-attorneys-office-hacked
University of Michigan employee, student data stolen in cyberattack https://www.bleepingcomputer.com/news/security/university-of-michigan-employee-student-data-stolen-in-cyberattack/
Detroit-Area District Cancels Classes Due to Cyber Incident https://www.govtech.com/education/k-12/detroit-area-district-cancels-classes-due-to-cyber-incident
Cole & Van Note Announces City of Victorville Data Breach Investigation https://www.newstrail.com/cole-van-note-announces-city-of-victorville-data-breach-investigation/
Vulnerabilities
Act Now: VMware Releases Patch for Critical vCenter Server RCE Vulnerability https://thehackernews.com/2023/10/act-now-vmware-releases-patch-for.html
As Citrix Urges Its Clients to Patch, Researchers Release an Exploit. In the race over Citrix's latest vulnerability, the bad guys have a huge head start, with broad implications for businesses and critical infrastructure providers worldwide. https://www.darkreading.com/vulnerabilities-threats/citrix-urges-clients-patch-researchers-release-exploit
New iLeakage attack steals emails, passwords from Apple Safari https://www.bleepingcomputer.com/news/security/new-ileakage-attack-steals-emails-passwords-from-apple-safari/
Cybersecurity Awareness Month 2023: Employees and their devices are still at the center of a security strategy. Put awareness training at the center of a strategy to secure employee devices. https://www.scmagazine.com/perspective/cybersecurity-awareness-month-2023-employees-and-their-devices-are-still-at-the-center-of-a-security-strategy
Hackers can force iOS and macOS browsers to divulge passwords and much more. Researchers have devised an attack that forces Apple’s Safari browser to divulge passwords, Gmail message content, and other secrets. It works by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices. iLeakage requires minimal resources to carry out. The vulnerability it exploits hasn’t been patched yet. https://arstechnica.com/security/2023/10/hackers-can-force-ios-and-macos-browsers-to-divulge-passwords-and-a-whole-lot-more/
TTP & Malware
Meet Rhysida, a New Ransomware Strain That Deletes Itself. Emerging RaaS operation uses Rhysida ransomware paired with a wicked infostealer called Lumar, researchers warn. https://www.darkreading.com/attacks-breaches/meet-rhysida-a-new-ransomware-strain-that-deletes-itself
The Hacker News: Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection (10/24) https://thehackernews.com/2023/10/backdoor-implant-on-hacked-cisco.html
Threat actors see opportunity when new technology is designed with inadequate security, as these recent incidents prove. https://www.csoonline.com/article/655401/oops-when-tech-innovations-create-new-security-threats.html
The prolific threat actor known as Scattered Spider has been observed impersonating newly hired employees in targeted firms as a ploy to blend into normal on-hire processes, take over accounts, and breach organizations across the world. https://thehackernews.com/2023/10/microsoft-warns-as-scattered-spider.html/
Cybersecurity Awareness Month
Don't Wait, Update https://www.learnsecurity.org/single-post/don-t-wait-update
Spooktacular Cybersecurity: Stay Safe with Multifactor Authentication (MFA) This Halloween https://www.learnsecurity.org/single-post/spooktacular-cybersecurity-stay-safe-with-multifactor-authentication-mfa-this-halloween
4 Easy Ways to Stay Safe Online https://www.learnsecurity.org/single-post/4-easy-ways-to-stay-safe-online
Cybersecurity Awareness Month Kick Off https://www.learnsecurity.org/single-post/cybersecurity-awareness-month-kick-off
San Diego Business Journal: Phishing Is Best Caught Early (10/16) https://www.sdbj.com/cyber-security/phishing-is-best-caught-early/
Haunted by Weak Passwords? Unlocking the Secrets of Strong Passwords: A Spook-Free Guide for Cybersecurity Awareness Month. https://www.learnsecurity.org/single-post/haunted-by-weak-passwords
Third-Party (Supply Chain)
6 most common types of software supply chain attacks explained. Not all software supply chain attacks are the same. Here are the methods attackers currently use to corrupt legitimate software through third parties. https://www.csoonline.com/article/570743/6-most-common-types-of-software-supply-chain-attacks-explained.html
Learn21, a nonprofit that works with schools to implement education technology, is celebrating "Scary App Month" along with Halloween. A survey found that the average school district used 2,500 ed-tech tools during the 2022-23 school year, and there is "no way that somebody vetted 2,500 privacy policies," says Stacy Hawthorne of Learn21.
Full Story: Education Week (10/23) https://www.edweek.org/technology/nonprofit-uses-halloween-run-up-to-showcase-scary-privacy-issues-in-learning-apps/2023/10
Nation-State
U.S. Secretary of State Antony Blinken has expressed deep concerns about the situation in the southeastern outskirts of Europe. Azerbaijan Could Invade Armenia. The U.S. Must Intervene. https://time.com/6327596/turkey-armenia-azerbaijan-invade-united-states/
Government CIO Media: Cyber Agencies Respond to Digital Battlefields of the Israel-Hamas War (10/24) https://www.governmentciomedia.com/cyber-agencies-respond-digital-battlefields-israel-hamas-war
Kazakh Attackers, Disguised as Azerbaijanis, Hit Former Soviet States. The YoroTrooper group claims to be from Azerbaijan and even routes its phishing traffic through the former Soviet republic. https://www.darkreading.com/dr-global/kazakh-attackers-disguised-as-azerbaijanis-hit-former-soviet-states
Roundcube 0-day used to steal European government emails. The bug in the popular email service Roundcube was patched after being exploited by Russia- and Belarus-aligned cyberespionage gang Winter Vivern. https://www.scmagazine.com/news/roundcube-0-day-used-to-steal-european-government-emails
Reports
A School’s Guide to Cybersecurity: Insights Into The 2023 MS-ISAC K-12 Report https://www.cisecurity.org/insights/webinar/a-schools-guide-to-cybersecurity-insights-into-the-2023-ms-isac-k-12-report
Report Suggests CISA Should Dominate Federal Cybersecurity https://www.govinfosecurity.com/report-suggests-cisa-should-dominate-federal-cybersecurity-a-23383
Next Gov: CISA needs more money and less red tape, report stays (10/23) https://www.nextgov.com/cybersecurity/2023/10/cisa-needs-more-money-and-less-red-tape-report-stays/391447/
Dis-mis-mal-information
Brands running ads on social media need to add war and other keywords to content adjacency controls and boost moderation practices amid the growing spread of misinformation and disinformation related to the Israel-Hamas conflict, suggests a NewsGuard report. People engaged with posts featuring misinformation almost 1.35 million times during the first week of hostilities and global views surpassed 100 million. https://www.mediapost.com/publications/article/390330/the-high-cost-of-misinformation-for-brands-publis.html
AI
Biden to Sign Executive Order Addressing AI as National Security Tool https://www.wsj.com/tech/ai/biden-moves-to-embrace-ai-as-national-security-tool-in-executive-order-d6172746
CNBC: Apple, caught by surprise in generative AI boom, to spend $1 billion per year to catch up: Report (10/23) https://www.cnbc.com/2023/10/23/apple-to-spend-1-billion-a-year-in-ai-catch-up-efforts-report-.html
Incident Response
Ransomware attacks are getting faster: How to adjust incident response plans accordingly https://www.scmagazine.com/resource/ransomware-attacks-are-getting-faster-how-to-adjust-incident-response-plans-accordingly
#StopRansomware Guide. This document is a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. This publication was developed through the Joint Ransomware Task Force (JRTF), an interagency body established by Congress in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to ensure unity of effort in combating the growing threat of ransomware attacks. https://www.cisa.gov/resources-tools/resources/stopransomware-guide
Cyber Criminals
34 Cybercriminals Arrested in Spain for Multi-Million Dollar Online Scams https://thehackernews.com/2023/10/34-cybercriminals-arrested-in-spain-for.html
The English-speaking cyberattack group behind the MGM and Caesars Entertainment attacks is adding unique capabilities and gaining in sophistication. Prepare now, Microsoft says. https://www.darkreading.com/remote-workforce/microsoft-0ktapus-cyberattackers-evolve-most-dangerous-status